When a computerized system experiences a software bug, a hardware failure, or sabotage, it may fail to do its intended job. This is an undesirable consequence which may lead to the loss of valuable data, unhappy customers, and perhaps an inability to charge for services being provided by the computer system. However, in some critical situations, it is much more than a mere undesirable consequence. For example, when a computer system is employed in a manner that affects health and safety, such as an airplane flight control system or medical equipment, human lives may be at stake. In addition, when a computer system is employed to manage secure or otherwise confidential data, such as in connection with a secure communication system, a failure of this kind may result in a security breach. In these and other critical situations, a need exists to assure that a computer system actually does its intended or needed job.
Conventionally, providing assurances that a computerized system actually does its intended job has been a monumental problem. As the job a computer system does becomes more complex, so does the software which defines the job. As software complexity increases, the difficulty of the analyses needed to provide assurance that the computer system is doing what is intended likewise increases. In fact, the assurance problem grows exponentially with software complexity, because the number of possible interactions between increasingly complicated software programs grows combinatorially with the number of those programs and of the paths by which they can affect one another.
A known technique for managing the exponentially increasing difficulty of providing assurances for a complex software job is to break the entire job into isolated programs or processes, individually analyze each isolated program to assure a trusted status for the individual program, and then take steps to guarantee that the isolated programs remain isolated. Conventionally, computer systems have used multiple microprocessors to execute a corresponding number of isolated programs, and the multiple microprocessors communicate with each other only through highly constrained communication channels. In addition, the microprocessors are often used in simple architectures which may, for example, have little or no interrupting capabilities. The use of multiple microprocessors, simple architectures, and constrained communication channels limits the scope of interactions between the programs to the messages that the channels can carry. The limited interactions between the programs allow the programs to be analyzed separately, which makes the assurance problem manageable.
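The following is an added illustration, not part of the patent text and not a description of any particular system, of what a "highly constrained communication channel" buys the analyst. Two hypothetical isolated programs (a sensor program and a control program) interact only through a channel that admits two message types with fixed payload lengths and a bounded queue depth; everything else is refused at the boundary and never reaches the receiver. All names (`Op`, `ConstrainedChannel`, `sensor_program`, `control_program`) are invented for the example, and the readings are constructed sample data.

```python
"""Added example: isolated programs interacting only over a constrained channel.
The whole interaction surface is the enumerable set returned by
interaction_surface(), which is what makes separate analysis tractable."""
import queue
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    """The complete set of message types the channel will ever carry."""
    READING = 1   # 2-byte big-endian unsigned sensor value
    SHUTDOWN = 2  # no payload


@dataclass(frozen=True)
class Message:
    op: Op
    payload: bytes


class ChannelViolation(Exception):
    """Raised at the boundary; the receiving program never sees the message."""


class ConstrainedChannel:
    """One-directional channel with an op whitelist, a fixed payload length per
    op, and a bounded queue depth. These three limits are the entire surface
    over which the two programs can influence each other."""

    PAYLOAD_LEN = {Op.READING: 2, Op.SHUTDOWN: 0}

    def __init__(self, depth=4):
        self._q = queue.Queue(maxsize=depth)
        self.rejected = []  # (reason, message) pairs kept for audit

    def send(self, msg):
        if not isinstance(msg, Message) or msg.op not in self.PAYLOAD_LEN:
            self.rejected.append(("unknown op", msg))
            raise ChannelViolation("unknown op")
        if len(msg.payload) != self.PAYLOAD_LEN[msg.op]:
            self.rejected.append(("bad length", msg))
            raise ChannelViolation("bad length")
        try:
            self._q.put_nowait(msg)
        except queue.Full:
            self.rejected.append(("channel full", msg))
            raise ChannelViolation("channel full")

    def recv(self):
        """Return the next message, or None when the channel is empty."""
        try:
            return self._q.get_nowait()
        except queue.Empty:
            return None

    def interaction_surface(self):
        """Enumerate every distinct message shape that can cross the boundary."""
        return sorted((op.name, n) for op, n in self.PAYLOAD_LEN.items())


def sensor_program(chan, readings):
    """Isolated program A: emits readings, then SHUTDOWN. Returns count sent."""
    delivered = 0
    for r in readings:
        chan.send(Message(Op.READING, r.to_bytes(2, "big")))
        delivered += 1
    chan.send(Message(Op.SHUTDOWN, b""))
    return delivered


def control_program(chan):
    """Isolated program B: consumes until SHUTDOWN and returns the peak reading.
    Analyzing B needs only the two message shapes above, not A's internals."""
    peak = 0
    while (msg := chan.recv()) is not None:
        if msg.op == Op.SHUTDOWN:
            break
        peak = max(peak, int.from_bytes(msg.payload, "big"))
    return peak


def run_demo():
    """Run A then B over one channel, then show two boundary rejections."""
    chan = ConstrainedChannel(depth=8)
    sent = sensor_program(chan, [120, 355, 90])   # constructed sample readings
    peak = control_program(chan)
    for bad in (Message(Op.READING, b"\x01\x02\x03"),   # over-length payload
                Message("EXEC", b"rm -rf /")):          # op not in whitelist
        try:
            chan.send(bad)
        except ChannelViolation:
            pass
    return {"sent": sent, "peak": peak, "rejected": len(chan.rejected),
            "surface": chan.interaction_surface()}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the receiver's correctness argument depends only on `interaction_surface()`, a two-element list, rather than on anything the sender might do; a sender that is later replaced or compromised can still only produce those two message shapes, or be refused.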
However, the technique of using multiple microprocessors in simple architectures is an undesirable solution to the assurance problem. Multiple microprocessor computer systems tend to be expensive to manufacture, expensive to design, and inflexible. Moreover, this technique prevents the computer systems from exploiting advances in microprocessor designs.
Computer architectures are known which provide supervisor and user modes or privileged and unprivileged modes of operation. Typically, supervisor or privileged modes allow complete access to a computer system while user or unprivileged modes allow access to only restricted areas. These architectures typically address the problem of limiting the damage which may be done by users or by code running in unprivileged modes. They do not truly isolate programs from one another so that their potential interactions remain manageable and assurances may be provided that the computer systems are operating as intended.